Source Code To Google Authentication System Stolen
Aardvark writes "More details are coming out about the extent of the break-in at Google a few months ago. The NY Times is reporting that one of the things stolen was the source code to Google's single sign-on authentication system, called Gaia. Though Google is making changes to the system, the theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future. No wonder that Eric Schmidt recently said they've become paranoid about security."
Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?
So, Schmidt is worried because Google was relying on security through obscurity?
Seriously, the bad guys already have it, so enlist the help of the security community to improve it.
They should open source it, since a copy is out on the loose anyway. This could work to their advantage.
I still think capability based security is the only workable long term solution..
I'd love to see /. put their source out there, money where their mouth is so to speak.
...You mean like http://www.slashcode.com/about.shtml ?
Being positive today I'm going to go with maybe English isn't your first language. Here is a definition..
They took the code without Google's consent, hence they stole it.
From TFA: "By clicking on a link [sent on Microsoft Messenger] and connecting to a 'poisoned' Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team."
I don't know about you, but I'm quite shocked at how an innocuous thing like this can lead to the theft of "one of Google's crown jewels". Are their security practises that lax over there in Google China? And, considering that this happened to Google - a leading Tech-savvy company - how many other corporations and conglomerates have already been hit by a similar attack? Banks? Military? Oil and Gas? Heck, MSFT?? After all, TFA reported that it was a "lightning raid that lasted less than two days".
And yeah, while TFA sounds like Luddite fear-mongering, I think it's a valid concern for everyone.
By clicking on a link and connecting to a "poisoned" Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.
Unless it's a flaw directly within the messenger software rather than the user who clicked the link...Microsoft wasn't really involved...
matched the target
that is, the economics of the attack is not a common one: your average podunk company offers what, exactly? and i'm not even talking in terms of financial possibilities, i'm talking in terms of corporate and political espionage, which the chinese government is interested in, not common robbery. because with google, if you break in, you get such a huge payoff in terms of strategic intelligence, unlike any other exploitable entity. so somewhere in china, a stable of minds are focused like a laser on you
and structurally, security wise, the problem is the same as terrorism: the good guys have to be vigilant all the time, they can't fail ever. while the bad guys: they can screw up time and again, that's ok. they learn even. they only need to get in once. so even if you are google, no, ESPECIALLY if you are google because you're such a fabled target, you are at a strategic disadvantage, even with all your resources, to be hacked. those who want to hack you are ready to invest heavily into hacking you: it's a good investment, because the payoff is gargantuan, the economics of the security situation works against google
the REAL lesson is for us, the common joe blows of the world: don't put all of your eggs in one basket. have an ecosystem of interdependent accounts with different companies. don't do EVERYTHING at google, or their exposure is your exposure
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
They took the Movie without paying for MPAA consent, hence they stole it.
We like to change the meaning of the words when it's convenient for us
"theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future"
As Bruce Schneier said, security through obscurity does not work...
Are you sure he said that, or did he say that it was wrong to rely on security through obscurity? Obscurity (i.e. not telling tales out of school) is one valid element of an overall security model.
This sounds very very bad to me, the worst fact being that security and paranoia always lead to bad decisions and breaches of rights. Even if we believe Google's "do no evil" policy, if they are pushed far enough they will become something we don't want.
So don't use their services except perhaps for their search engine, and even then in a highly controlled fashion (NoScript, no cookies, no redirections, no HTTP Ping, no Google Analytics, etc). It's how I deal with my concerns about them.
My point exactly - no matter how much it's modded "Off-topic" currently :D /karma
Yes; well the truth is that only if those eyes are looking (I'm sure the crackers will be). But still, it's yet another example that not publishing your source code just means that the only eyes looking other than your own are hostile eyes. Google should now publish the source code to this system and more of their other internal stuff that others could use and share.
Plagiarism isn't theft, it's just plagiarism.
Downloading a copyrighted mp3 is not theft, it's copyright infringement.
Using someone else's patented invention isn't theft, it's patent infringement.
And so on.
Your attitude of invincibility is both dangerous and stupid. Firefox, like all web browsers, is complex software that has a long history of vulnerabilities. One buffer overflow vulnerability (and Firefox has a history of such vulnerabilities) is enough to run arbitrary code on your system.
Not true. The software you use every day almost certainly has security vulnerabilities that may allow code execution. History has shown that determined hackers have little trouble finding one.
No, mostly we hear those stories from people who don't know what the hell they're talking about. If you download and run some arbitrary executable, well, yeah, you can get infected. The same could happen if you went and installed a malicious deb/rpm.
Those people who truly *were* infected by "just clicking on a fucking URL" (and not by deliberate acts of stupidity on their part) are victims of software vulnerabilities. And those vulnerabilities exist on every platform.
Neither Microsoft's OS nor their messenger software had anything to do with this hole, although Internet Explorer might. Neither the messenger software nor the OS were vulnerable; the vulnerability was most likely either in the web browser or a plugin like Flash.
According to the definition of deprivation you quote, it's not enough to cause the property to lose value. You have to withhold it from the rightful owner so that it loses value. And the hackers weren't able to withhold Google's own source code from them.